[CentOS] Fwd: Heads up: OpenSSH users

Thu Jan 14 18:49:57 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Thu, January 14, 2016 11:46 am, m.roth at 5-cent.us wrote:
> Timo Schöler wrote:
>> On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
>>> Michael H wrote:
>>>> Probably worth a read...
>>>>
>>>> http://www.openssh.com/txt/release-7.1p2
>>>>
>>>>> Important SSH patch coming soon.  For now, everyone on all
>>>>> operating systems, please do the following:
>>>>>
>>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>>>> CVE-2016-0777. More later.
>>>>
>>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>>>
>>> Please clarify - will the update add *Roam* to
>>> /etc/ssh/ssh_config?
>>
>> It will fix the bug.
>>
>>> I've just checked on two systems that are CentOS 7, a server, and
>>> a workstation that I literally built yesterday, and grep -i on
>>> both reports "no, not here".
>>
>> Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD
>> 5.9 (pre-release, it's going to be released on May 1st, 2016) does not
>> mention it.
>
> Undocumented? You're saying that there's a feature that is configurable
> via the configuration file, and there's no mention of it at all in the
> configuration file, not even the default?
>
> That is more than slightly unacceptable.
>

More than agree! I used to have great respect for the OpenBSD project,
especially for their openssh. After the scandal with the OpenBSD IPSEC
stack backdoor accusations, my respect faded grossly, and I felt extremely
happy that my choice of system for servers had fallen on FreeBSD, not
OpenBSD (for some independent reason)...

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
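The thread recommends `echo "UseRoaming no" >> /etc/ssh/ssh_config` and checking with `grep -i`. The script below is an added example, not code from the thread or from the OpenSSH project: it checks whether an ssh_config really disables roaming for every host (an uncommented `UseRoaming no` outside any block, or under `Host *` / `Match all`, since ssh_config is first-match-wins and a directive inside a narrow `Host` block covers only those hosts) and prepends the directive only when it is missing, so repeated runs do not pile up duplicate lines. File names and the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an ssh_config really
# disables the undocumented roaming feature (the CVE-2016-0777 client bug
# mitigation quoted above), and add "UseRoaming no" only if it is missing.
# ssh_config is first-match-wins and a directive under "Host <pattern>"
# applies only to matching hosts, so a plain grep can be fooled by a
# commented-out line or one sitting inside a narrow Host block.

# Return 0 if an uncommented "UseRoaming no" applies to every host:
# either outside any block or inside "Host *" / "Match all".
roaming_disabled() {
    [ -f "$1" ] || return 1            # no file: OpenSSH defaults apply
    awk '
        { l = tolower($0); sub(/^[[:space:]]+/, "", l); sub(/[[:space:]]+$/, "", l) }
        l == "" || l ~ /^#/ { next }
        l ~ /^(host|match)([[:space:]=]|$)/ {
            arg = l; sub(/^[a-z]+[[:space:]=]*/, "", arg)
            narrow = (arg != "*" && arg != "all")   # "Host *" / "Match all" cover everything
            next
        }
        !narrow && l ~ /^useroaming[[:space:]=]+no$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prepend "UseRoaming no" (global, ahead of any block) unless already set.
disable_roaming() {
    cfg=$1
    roaming_disabled "$cfg" && return 0
    tmp=$(mktemp) || return 1
    {
        printf '# CVE-2016-0777 mitigation: disable undocumented roaming\n'
        printf 'UseRoaming no\n'
        if [ -f "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp" && cat "$tmp" > "$cfg"  # cat, not mv: keeps owner/mode of cfg
    status=$?
    rm -f "$tmp"
    return $status
}

# Demonstration on a constructed config, not a real /etc/ssh/ssh_config.
demo=$(mktemp)
printf '# UseRoaming no\nHost bastion\n    UseRoaming no\n' > "$demo"
roaming_disabled "$demo" && echo "mitigated" || echo "not mitigated: $demo"
disable_roaming "$demo" && roaming_disabled "$demo" && echo "mitigated after fix"
rm -f "$demo"
```

Run `disable_roaming /etc/ssh/ssh_config` as root on a system that is still on an affected client; once the 7.1p2 update lands the option is no longer needed but does no harm.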